Cisco Viptela SD-WAN Lab

For a while I had been reading Cisco's SD-WAN introductions, all of them slide decks. I wanted an environment to try it out concretely, but most of the material I could find is based on the official documentation and is genuinely hard going. So I felt my way through a "simple" lab, leaving the follow-up experiments to be studied gradually; this post is a record of it.

Lab objective

Get the loopbacks 1.1.1.1 and 2.2.2.2 on the two routers Site1 and Site2 communicating normally with each other.
In fact even such a "simple" little task takes a fair bit of effort...

This lab is divided into four parts
1. Initializing vManage, vBond, vSmart, vEdge and the other devices
2. Certificate handling for vManage, vBond, vSmart and vEdge
3. Adding the vBond, vSmart and vEdge devices to vManage
4. Getting routing working between the two sites
Note: the environment and files the lab needs, and how to build them, are not covered here

Lab topology

[Figure: lab topology]
The device interconnections are as shown in the figure above; vManage also has an out-of-band connection for convenient remote web management.

Device addresses and related information

Device    Site ID   System-IP    Interface IP    Version
vManage   100       100.1.1.1    10.1.1.1        16.3.2 -> 17.2.0
vBond     100       100.1.1.2    10.1.1.2        16.3.2 -> 17.2.0
vSmart    100       100.1.1.3    10.1.1.3        16.3.2 -> 17.2.0
vEdge1    1         101.1.1.1    172.16.1.1      17.2.0
Site1     -         1.1.1.1      192.168.1.1     -
vEdge2    2         102.1.1.1    172.16.2.1      17.2.0
Site2     -         2.2.2.2      192.168.2.1     -

For the two IOS routers Site1 and Site2, the System-IP column holds the Loopback0 address.

Key point: vManage, vBond and vSmart start on 16.3.2 and are then upgraded to 17.2.0. From 17.X.X onward, vManage needs a Smart Account to generate the vEdge authorization file on Cisco's website and import it into vManage before a vEdge can be added, whereas versions before 17.X.X let you create and edit a CSV file by hand and import it into vManage. vEdge runs 17.X.X because earlier versions cannot validate with self-generated certificates.
So here all devices first get their certificates installed and the vEdge authorization file is added; only after vManage has been upgraded to 17.2.0 are the vEdge devices added. Once a device is upgraded to 17.2.0, however, the vEdge authorization file can no longer be edited and added by hand.

Initializing vManage, vBond, vSmart, vEdge and the other devices

vManage initial configuration

system
 host-name             vmanage
 system-ip             100.1.1.1
 site-id               100
 organization-name     iteachs.com
 vbond 10.1.1.2
vpn 0
 interface eth0
  ip address 10.1.1.1/24
  no tunnel-interface
  no shutdown
 !
 ip route 0.0.0.0/0 10.1.1.254
!
vpn 512
 interface eth1
  ip address 192.168.188.61/24
  no shutdown
 !
 ip route 0.0.0.0/0 192.168.188.254
!
commit and-quit

vBond initial configuration

system
 host-name               vbond
 system-ip               100.1.1.2
 organization-name       iteachs.com
 vbond 10.1.1.2 local vbond-only
vpn 0
 interface ge0/0
  ip address 10.1.1.2/24
  no tunnel-interface
  no shutdown
 !
 ip route 0.0.0.0/0 10.1.1.254
!
commit and-quit

vSmart initial configuration

system
 host-name             vsmart
 system-ip             100.1.1.3
 site-id               100
 organization-name     iteachs.com
 vbond 10.1.1.2
!
vpn 0
 interface eth0
  ip address 10.1.1.3/24
  no tunnel-interface
  no shutdown
 !
 ip route 0.0.0.0/0 10.1.1.254
!
commit and-quit

vEdge1 initial configuration

system
 host-name               vedge1
 system-ip               101.1.1.1
 site-id                 1
 organization-name       iteachs.com
 vbond 10.1.1.2
 !
vpn 0
 interface ge0/0
  ip address 172.16.1.1/24
  no tunnel-interface
  no shutdown
 !
 ip route 0.0.0.0/0 172.16.1.254
!
vpn 10
 interface ge0/1
  ip address 192.168.1.254/24
  no shutdown
 !
 ip route 0.0.0.0/0 vpn 0
 !
!
commit and-quit

Site1 initial configuration

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site1
!
enable secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
aaa new-model
!
no ip domain lookup
ip cef
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface Ethernet0/0
!
end

vEdge2 initial configuration

system
 host-name               vedge2
 system-ip               102.1.1.1
 site-id                 2
 organization-name       iteachs.com
 vbond 10.1.1.2
 !
vpn 0
 interface ge0/0
  ip address 172.16.2.1/24
  no tunnel-interface
  no shutdown
 !
 ip route 0.0.0.0/0 172.16.2.254
!
vpn 10
 interface ge0/1
  ip address 192.168.2.254/24
  no shutdown
 !
 ip route 0.0.0.0/0 vpn 0
 !
!
commit and-quit

Site2 initial configuration

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site2
!
enable secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
aaa new-model
!
no ip domain lookup
ip cef
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 2.2.2.2
 passive-interface default
 no passive-interface Ethernet0/0
!
end

Internet configuration

version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
enable secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
aaa new-model
!
no ip domain lookup
ip cef
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
interface Loopback100
 ip address 100.100.100.100 255.255.255.255
!# Loopback used to simulate a public-network reachability test
interface Ethernet0/0
 ip address 10.1.1.254 255.255.255.0
!# connects to the management-side devices
interface Ethernet0/1
 ip address 172.16.1.254 255.255.255.0
!# connects to the Site1-side device
interface Ethernet0/2
 ip address 172.16.2.254 255.255.255.0
!# connects to the Site2-side device
no ip http server
no ip http secure-server
!
no cdp run
!
end

Once the above configuration is complete, directly connected devices can reach each other, and the vEdges can reach vManage, vBond and vSmart, but OSPF has no neighbors and the site routers cannot reach each other.
[screenshots: connectivity test results]

Certificate handling for vManage, vBond, vSmart and vEdge

Handling these devices' certificates requires a certificate server; you can use Cisco IOS, Windows Server or another CA. To keep this lab simple I use the openssl on vManage itself to sign and issue the certificates; this must not be used in production.

Generating the root certificate

First generate a key, 2048 bits long

vshell
openssl genrsa -out ROOTCA.key 2048

Generate the root certificate

openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
    -subj "/C=CN/ST=Nanjing/L=Jiangsu/O=iteachs.com/CN=ca.local" \
    -out ROOTCA.pem

The output is as follows

vmanage# vshell
vmanage:~$
vmanage:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
..................................+++
e is 65537 (0x10001)
vmanage:~$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
>     -subj "/C=CN/ST=Nanjing/L=Jiangsu/O=iteachs.com/CN=ca.local" \
>     -out ROOTCA.pem
vmanage:~$
vmanage:~$ dir
ROOTCA.key  ROOTCA.pem  archive_id_rsa.pub
vmanage:~$

View vManage's default root certificate and device certificate

vmanage# show certificate root-ca-cert 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:cc:7a:a5:a7:03:20:09:b8:ce:bc:f4:e9:52:d4:91
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Feb  8 00:00:00 2010 GMT
            Not After : Feb  7 23:59:59 2020 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:87:84:1f:c2:0c:45:f5:bc:ab:25:97:a7:ad:
                    a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:
                    bb:65:8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:
                    9c:68:8b:2e:95:7b:89:9b:13:ca:e2:34:34:c1:f3:
                    5b:f3:49:7b:62:83:48:81:74:d1:88:78:6c:02:53:
                    f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:
                    4e:91:24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:
                    ea:96:1d:0b:15:fc:a3:4b:3b:ce:63:88:d0:f8:2d:
                    0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c:00:48:35:
                    86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:
                    98:d4:c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:
                    ca:2c:23:a9:fd:14:06:e8:18:b4:9a:e8:3c:6e:81:
                    fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba:56:6e:6f:
                    9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:
                    c5:bf:11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:
                    9b:3f:53:45:7f:86:1a:f3:3c:fa:6d:7f:81:f5:b8:
                    4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18:7b:38:4e:
                    fa:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/cps
                  User Notice:
                    Explicit Text: https://www.verisign.com/rpa

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.verisign.com/pca3-g5.crl

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Alternative Name: 
                DirName:/CN=VeriSignMPKI-2-6
            X509v3 Subject Key Identifier: 
                0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
            X509v3 Authority Key Identifier: 
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

    Signature Algorithm: sha1WithRSAEncryption
         0c:83:24:ef:dd:c3:0c:d9:58:9c:fe:36:b6:eb:8a:80:4b:d1:
         a3:f7:9d:f3:cc:53:ef:82:9e:a3:a1:e6:97:c1:58:9d:75:6c:
         e0:1d:1b:4c:fa:d1:c1:2d:05:c0:ea:6e:b2:22:70:55:d9:20:
         33:40:33:07:c2:65:83:fa:8f:43:37:9b:ea:0e:9a:6c:70:ee:
         f6:9c:80:3b:d9:37:f4:7a:6d:ec:d0:18:7d:49:4a:ca:99:c7:
         19:28:a2:be:d8:77:24:f7:85:26:86:6d:87:05:40:41:67:d1:
         27:3a:ed:dc:48:1d:22:cd:0b:0b:8b:bc:f4:b1:7b:fd:b4:99:
         a8:e9:76:2a:e1:1a:2d:87:6e:74:d3:88:dd:1e:22:c6:df:16:
         b6:2b:82:14:0a:94:5c:f2:50:ec:af:ce:ff:62:37:0d:ad:65:
         d3:06:41:53:ed:02:14:c8:b5:58:28:a1:ac:e0:5b:ec:b3:7f:
         95:4a:fb:03:c8:ad:26:db:e6:66:78:12:4a:d9:9f:42:fb:e1:
         98:e6:42:83:9b:8f:8f:67:24:e8:61:19:b5:dd:cd:b5:0b:26:
         05:8e:c3:6e:c4:c8:75:b8:46:cf:e2:18:06:5e:a9:ae:a8:81:
         9a:47:16:de:0c:28:6c:25:27:b9:de:b7:84:58:c6:1f:38:1e:
         a4:c4:cb:66
vmanage#  
vmanage# show certificate installed 
vmanage# 

As you can see, there is a root certificate by default but no device certificate. Next we delete the default root certificate on all devices, install the root certificate we generated ourselves, and then request device certificates.

Deleting the existing root certificate and installing the new one

Operation on vManage

vmanage# request root-cert-chain uninstall 
Successfully uninstalled the root certificate chain
vmanage# 
vmanage# request root-cert-chain install home/admin/ROOTCA.pem 
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Successfully installed the root certificate chain
vmanage# 

Operation on vBond, vSmart, vEdge1 and vEdge2

vedge2# request root-cert-chain uninstall
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 407]
CMD_MAAPI is true [mtid = 407]
CMD_MAAPI is true [mtid = 0]
Successfully uninstalled the root certificate chain
vedge2#
vedge2#
vedge2# request root-cert-chain install scp://admin@10.1.1.1:/home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@10.1.1.1:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added '10.1.1.1' (ECDSA) to the list of known hosts.
viptela 16.3.2

admin@10.1.1.1's password:
ROOTCA.pem                                    100% 1285     1.7MB/s   00:00
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 411]
CMD_MAAPI is true [mtid = 411]
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 415]
CMD_MAAPI is true [mtid = 415]
CMD_MAAPI is true [mtid = 0]
Successfully installed the root certificate chain
vedge2#

View the root certificate after the operation

vmanage# show certificate root-ca-cert 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:db:55:e2:55:58:83:e9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Nanjing, L=Jiangsu, O=iteachs.com, CN=ca.local
        Validity
            Not Before: Mar  5 08:38:12 2020 GMT
            Not After : Dec 24 08:38:12 2022 GMT
        Subject: C=CN, ST=Nanjing, L=Jiangsu, O=iteachs.com, CN=ca.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d6:ae:7f:bd:a3:6b:86:a0:bb:15:a0:8d:da:37:
                    59:8a:d3:d3:43:f5:50:52:82:fd:63:36:ba:e9:32:
                    69:51:e5:5e:58:87:ae:0f:11:1b:65:56:8a:85:a1:
                    e9:02:39:4d:e7:bd:8d:e9:45:e3:20:98:66:57:ab:
                    da:7d:81:23:a4:07:f3:b5:6a:a4:69:0a:57:d3:8b:
                    50:fb:d7:9c:2b:2c:ba:be:18:62:59:6f:f6:57:55:
                    84:1a:69:2d:39:4f:7e:55:9b:5c:9a:68:67:61:03:
                    89:ca:26:76:14:8f:5d:72:af:3f:2b:9b:03:c1:b0:
                    59:72:cb:8d:2f:76:b7:d8:9f:fa:bd:38:ed:5b:db:
                    63:f5:b3:0a:49:db:6a:e9:eb:57:ba:7c:99:60:09:
                    e5:d9:78:e5:a2:0a:9d:9a:c3:32:14:c5:da:65:73:
                    11:4a:81:89:b6:3f:02:32:72:db:7d:a7:1b:b1:f1:
                    ad:27:94:5b:ea:fe:f4:74:60:04:e4:13:2b:54:9e:
                    c9:29:67:b4:c5:e1:cd:7d:69:70:79:27:6d:e9:8d:
                    34:16:f1:39:0b:2c:51:14:04:2b:a7:97:9f:ed:04:
                    2a:05:47:d1:80:7a:91:5f:48:f7:91:fa:12:b0:e9:
                    9f:37:d2:0a:a3:96:fb:33:54:bb:03:44:62:94:34:
                    f9:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A7:B6:B0:03:68:EA:9C:94:6D:7C:98:D7:23:7D:60:98:51:F2:35:E9
            X509v3 Authority Key Identifier: 
                keyid:A7:B6:B0:03:68:EA:9C:94:6D:7C:98:D7:23:7D:60:98:51:F2:35:E9

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         b9:fa:f3:b8:54:5a:5d:c0:70:b7:40:64:a3:76:a8:bb:32:9f:
         fe:a1:e4:4d:ba:cc:5d:dc:32:24:38:ff:01:3b:52:a2:aa:07:
         87:84:d8:83:14:1f:22:72:aa:49:1c:10:93:74:a7:24:45:60:
         9b:0a:a7:af:a7:68:a2:70:28:f5:d2:ec:8b:67:83:68:de:67:
         a0:da:0a:1d:b4:33:b2:cd:39:36:31:f8:20:04:ac:1a:1f:be:
         20:50:f4:3d:bf:23:2c:83:9d:8d:49:a2:88:59:e7:e1:5a:f3:
         d9:9a:20:13:f2:46:cc:2b:a0:6d:ac:2e:b0:a4:a5:0c:41:e3:
         06:51:d7:ad:26:6c:68:c0:8c:e1:f3:ab:8b:5a:5b:ff:b4:45:
         29:d4:b6:dc:dc:b4:f5:62:51:bb:77:19:fe:4e:12:f5:d3:10:
         c9:2c:9b:d2:91:a7:61:bf:e3:3d:2d:f6:73:b5:fc:a4:b6:92:
         9a:07:1f:19:98:67:34:df:2f:1b:83:27:91:a9:f6:e5:20:a4:
         c9:6b:a9:a5:fe:b3:84:77:2d:ea:f8:f6:99:32:03:40:ac:b9:
         76:0c:08:86:f9:38:b1:8b:70:bb:66:75:88:72:c9:4e:44:34:
         05:17:ea:69:c5:c8:d3:9b:33:5f:77:27:3e:7b:d7:5a:83:66:
         3d:43:c3:4f
vmanage# 

Generating certificate signing requests for vManage, vBond, vSmart and vEdge

Generating the CSR on vManage

vmanage# request csr upload /home/admin/vmanage.csr
Uploading CSR via VPN 0
Enter organization name            : iteachs.com
Re-enter organization name         : iteachs.com
Generating private/public pair and CSR for this vmanage device
Generating CSR for this vmanage device   ........[DONE]
Copying ... /home/admin/vmanage.csr via VPN 0
CSR upload successful
vmanage#

Note: the organization name entered here matters; it must be identical to the one in the configuration.

Generating the CSRs on the other devices

Not demonstrated one by one; the commands are listed below.

vBond:
request csr upload scp://admin@10.1.1.1:/home/admin/vbond.csr

vSmart:
request csr upload scp://admin@10.1.1.1:/home/admin/vsmart.csr

vEdge1:
request csr upload scp://admin@10.1.1.1:/home/admin/vedge1.csr

vEdge2:
request csr upload scp://admin@10.1.1.1:/home/admin/vedge2.csr

Signing certificates for vManage, vBond, vSmart and vEdge

vmanage# 
vmanage# 
vmanage# vshell 
vmanage:~$ 
vmanage:~$ openssl x509 -req -in vmanage.csr \
>     -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
>     -out vmanage.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vmanage_1d83a485-e824-4836-ab82-00db7bea4c1c_0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$ 
vmanage:~$ openssl x509 -req -in vbond.csr \
>     -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
>     -out vbond.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vbond_d797a9bd-eef2-40a2-9bf5-953b6525947c_0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$ 
vmanage:~$ openssl x509 -req -in vsmart.csr \
>     -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
>     -out vsmart.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vsmart_1cda07a5-81a4-486b-8cef-426dbd285d20_0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$ 
vmanage:~$ 
vmanage:~$ openssl x509 -req -in vedge1.csr \
>     -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
>     -out vedge1.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vedge-49918191-566f-4ef1-875c-c8557c317275-0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$ 
vmanage:~$ 
vmanage:~$ openssl x509 -req -in vedge2.csr \
>     -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
>     -out vedge2.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vedge-4ea4eb5d-dfba-4e33-8ea8-da22db5446a2-0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$ 
vmanage:~$ dir
ROOTCA.key  ROOTCA.srl          vbond.crt  vedge1.crt  vedge2.crt  vmanage.crt  vsmart.crt
ROOTCA.pem  archive_id_rsa.pub  vbond.csr  vedge1.csr  vedge2.csr  vmanage.csr  vsmart.csr
vmanage:~$ 
vmanage:~$ 
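The CA workflow used above (self-signed root, per-device CSR, openssl x509 -req with -CAcreateserial) can be rehearsed and checked outside the lab before touching the controllers. The script below is an added example, not part of the original post and not Viptela tooling. It assumes only that openssl is in PATH; it builds the root and a device certificate in a scratch directory with the same parameters as the lab, then checks the two things that matter when the controllers come up: that the device certificate chains to ROOTCA.pem, and that the OU in the certificate (which is where the organization name typed at request csr upload lands, as the subject lines above show) equals the configured organization-name. The chassis UUID in the constructed CSR subject is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post or from Viptela.
# Rehearses the lab's CA workflow with openssl in a scratch directory and
# checks the result: the device cert must chain to ROOTCA.pem and its OU
# must equal the organization-name configured on the device.
# Assumption: openssl is in PATH. ORG is the lab's organization-name.

WORK="${WORK:-$(mktemp -d)}"
ORG="iteachs.com"

# Root CA with the lab's parameters: RSA 2048, SHA-256, self-signed, 1024 days.
make_root_ca() {
  openssl genrsa -out "$WORK/ROOTCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ROOTCA.key" -sha256 -days 1024 \
    -subj "/C=CN/ST=Nanjing/L=Jiangsu/O=$ORG/CN=ca.local" \
    -out "$WORK/ROOTCA.pem" 2>/dev/null
}

# Device key + CSR with a subject shaped like the ones the controllers
# produce (the typed organization name lands in OU, O stays "vIPtela Inc").
# The UUID in the CN is a constructed placeholder, not a real chassis number.
make_device_csr() {   # $1 = device name, $2 = organization name for OU
  uuid="00000000-0000-4000-8000-000000000000"
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -sha256 \
    -subj "/C=US/ST=California/L=San Jose/OU=$2/O=vIPtela Inc/CN=${1}_${uuid}_0.viptela.com/emailAddress=support@viptela.com" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Sign exactly as the lab does: openssl x509 -req, 500 days, SHA-256,
# serial taken from ROOTCA.srl (created on first use by -CAcreateserial).
sign_csr() {          # $1 = device name
  openssl x509 -req -in "$WORK/$1.csr" \
    -CA "$WORK/ROOTCA.pem" -CAkey "$WORK/ROOTCA.key" -CAcreateserial \
    -out "$WORK/$1.crt" -days 500 -sha256 2>/dev/null
}

# Verification. Prints "ok", or a reason, so callers can test the result:
#   chain-invalid      cert does not verify against ROOTCA.pem
#   org-mismatch:<OU>  OU differs from the expected organization-name
check_cert() {        # $1 = device name, $2 = expected organization-name
  openssl verify -CAfile "$WORK/ROOTCA.pem" "$WORK/$1.crt" >/dev/null 2>&1 \
    || { echo "chain-invalid"; return 1; }
  ou=$(openssl x509 -in "$WORK/$1.crt" -noout -subject \
         -nameopt sep_multiline,lname \
       | sed -n 's/^[[:space:]]*organizationalUnitName=//p')
  [ "$ou" = "$2" ] || { echo "org-mismatch:$ou"; return 1; }
  echo ok
}

# Demo run: root CA, one vmanage certificate, and the check.
make_root_ca
make_device_csr vmanage "$ORG"
sign_csr vmanage
echo "vmanage: $(check_cert vmanage "$ORG")"
openssl x509 -in "$WORK/vmanage.crt" -noout -subject -serial
```

Run as-is it builds ROOTCA.pem, signs a vmanage certificate and prints ok followed by the subject and serial. A CSR whose OU differs from the configured organization-name is reported as org-mismatch, which is exactly the mismatch the note under the CSR section warns about; the serial printed at the end is the value the device later reports in show certificate serial.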

Installing certificates on vManage, vBond, vSmart and vEdge

Installing the certificate on vManage

vmanage# request certificate install home/admin/vmanage.crt 
Installing certificate via VPN 0
Copying ... /home/admin/vmanage.crt via VPN 0
Successfully installed the certificate

Installing the certificates on vBond, vSmart and vEdge

vBond:
request certificate install scp://admin@10.1.1.1:/home/admin/vbond.crt
vSmart:
request certificate install scp://admin@10.1.1.1:/home/admin/vsmart.crt
vEdge1:
request certificate install scp://admin@10.1.1.1:/home/admin/vedge1.crt
vEdge2:
request certificate install scp://admin@10.1.1.1:/home/admin/vedge2.crt

The process is not pasted for every device.
Check the installed device certificate

vmanage# show certificate installed 
Server certificate
------------------

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f2:f9:b9:94:7b:e8:20:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Nanjing, L=Jiangsu, O=iteachs.com, CN=ca.local
        Validity
            Not Before: Mar  5 08:59:05 2020 GMT
            Not After : Jul 18 08:59:05 2021 GMT
        Subject: C=US, ST=California, L=San Jose, OU=iteachs.com, O=vIPtela Inc, CN=vmanage_1d83a485-e824-4836-ab82-00db7bea4c1c_0.viptela.com/emailAddress=support@viptela.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d1:30:e0:3a:02:a9:a3:26:72:0f:1c:04:3c:63:
                    9d:b5:d5:7f:13:49:22:9e:82:2f:3d:60:81:c2:0c:
                    ae:88:7a:8f:c0:15:0b:0f:fd:2b:b0:90:e1:a3:b8:
                    92:b6:12:dc:1f:88:78:ca:0f:6f:a9:95:26:6d:dd:
                    08:6f:10:f9:48:10:8a:53:12:c8:39:d2:59:7a:05:
                    ff:68:20:bf:8f:68:96:8d:6e:99:11:6f:11:64:8c:
                    1b:53:e6:a6:5c:e0:aa:fc:00:1f:0d:78:06:7d:84:
                    29:b2:1a:f6:d7:33:46:f2:32:21:ea:38:8a:08:05:
                    c4:f3:5e:58:9d:f7:db:03:05:7e:c7:44:6b:cc:38:
                    74:25:c7:f0:03:d6:b1:51:20:4e:0f:66:cb:81:6f:
                    5d:31:50:02:87:26:b5:c7:13:fe:44:52:6e:2e:44:
                    54:f6:32:4d:00:4d:6a:c3:c4:7e:e0:93:80:48:ab:
                    23:e4:2c:be:3f:73:b6:c0:a8:92:d6:44:8c:91:57:
                    35:c1:6f:ba:f4:8e:6d:d4:34:11:a4:c5:f7:f3:bf:
                    c1:c6:ee:83:95:41:f5:94:66:a5:99:6d:71:76:00:
                    44:8e:41:63:c3:9e:27:ae:cd:5e:44:07:66:b1:c5:
                    3b:6b:17:22:10:70:a6:f3:f1:10:f8:09:5f:cd:92:
                    eb:e3
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         6d:9d:a3:e7:1c:bd:45:a8:fc:0b:e1:10:27:23:b7:06:7f:75:
         90:4f:aa:ce:9d:22:e1:43:98:c3:3c:66:a2:fc:94:2f:4c:b2:
         9f:7a:f0:5d:6d:ee:5e:4c:11:df:39:e4:b7:1e:75:21:44:6d:
         43:f5:aa:7d:51:bc:9d:87:5c:2d:79:4b:96:b3:f3:a1:f1:27:
         16:64:1b:dd:87:cd:b7:b9:f9:9a:78:e8:9e:4f:6a:8e:b7:fe:
         73:e3:10:6d:e6:f4:b8:a6:77:c8:59:30:cf:65:74:62:96:18:
         8b:9e:01:20:64:74:79:25:b6:33:47:46:43:b1:c6:55:5c:f7:
         ba:80:52:3c:9e:df:82:e8:3a:c9:50:f9:ad:2e:1f:48:8b:ef:
         e8:88:4a:1c:ff:97:e0:00:a1:9b:2e:5c:96:3b:f9:e9:e3:da:
         7e:d3:5f:4f:8b:d5:c8:10:c3:d0:d5:06:f7:51:19:70:e8:25:
         3b:31:b5:88:4d:1b:ac:b6:94:16:a7:05:22:16:b8:cf:1f:36:
         8d:d7:2d:0d:35:9e:2f:1b:7b:d4:8b:a1:f0:61:7d:30:03:2f:
         a4:00:d6:68:9d:53:d2:82:01:39:27:b9:10:5a:28:27:ea:8f:
         e6:ae:51:14:6e:ed:66:8d:28:de:2e:f7:e3:e4:ab:70:41:fc:
         43:4b:9e:bc
vmanage# 

It should be mentioned that the CSR can also be generated and the certificate installed from the web UI, but 16.3.2 has a bug where the device entries are not displayed in the UI, so there is nothing to click to generate or install. Besides, I find the CLI more convenient.
After the certificates are installed, all devices need to be rebooted. At this point the simple lab is 1/3 done.
After the reboot, log into vManage with a browser.

Adding the vBond, vSmart and vEdge devices to vManage

Log into vManage with a browser; the default username and password are both admin.
As shown below:
[screenshot]
Because vManage already had its certificate installed, the device shows as online straight away, with sync and certificate shown as installed.
[screenshot]
Configure the organization and vBond on vManage, and make sure the certificate mode is set to manual.
[screenshot]

Next, add vBond and vSmart

[screenshot]
Because the certificate was installed earlier, do not tick Generate CSR.
[screenshot]
When complete it looks like this

Add vSmart the same way
[screenshots]
Likewise, the certificate was installed earlier, so no CSR needs to be generated. When the addition is complete:
[screenshot]
Then on the Certificates page, Send to vBond.
[screenshot]
When complete, as shown below:
[screenshot]

Next, installing the vEdge List

Check the vEdge certificate serial numbers

vedge1# show certificate serial
Chassis number: 49918191-566f-4ef1-875c-c8557c317275 serial number: F2F9B9947BE82087
vedge1#

vedge2# show certificate serial
Chassis number: 4ea4eb5d-dfba-4e33-8ea8-da22db5446a2 serial number: F2F9B9947BE82088
vedge2#

Then create and edit a file named edge-list.csv with the following content:

49918191-566f-4ef1-875c-c8557c317275,F2F9B9947BE82087
4ea4eb5d-dfba-4e33-8ea8-da22db5446a2,F2F9B9947BE82088

Add one line per device. As mentioned earlier, versions before 17.0 allow adding vEdges this way; later versions require applying through a Cisco Smart Account and downloading the file to add them.
Once edited, upload the file to vManage.
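The CSV above is easy to get wrong by hand, and the chassis-number/serial pair is what vManage uses to authorize each vEdge, so a typo simply leaves that device offline. The script below is an added example, not from the original post: it parses the text of show certificate serial into edge-list.csv rows and rejects any entry that is not a 36-character UUID paired with a 16-digit uppercase hex serial. The sample output is constructed from the values shown above plus one deliberately broken entry, and the exact line format is assumed from the device output above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Viptela.
# Turns the text of 'show certificate serial' into edge-list.csv rows and
# rejects malformed pairs before upload, because the chassis-number/serial
# pair is what vManage uses to authorize a vEdge; a typo leaves it offline.
# SAMPLE_SHOW is constructed from the values seen in the lab, plus one
# deliberately broken entry (vedge3) to exercise the rejection path.

SAMPLE_SHOW='vedge1# show certificate serial
Chassis number: 49918191-566f-4ef1-875c-c8557c317275 serial number: F2F9B9947BE82087
vedge1#
vedge2# show certificate serial
Chassis number: 4ea4eb5d-dfba-4e33-8ea8-da22db5446a2 serial number: F2F9B9947BE82088
vedge2#
vedge3# show certificate serial
Chassis number: 4ea4eb5d-dfba-4e33 serial number: f2f9
vedge3#'

EDGE_LIST="${EDGE_LIST:-$(mktemp)}"

# Field checks, in the shape the device prints them:
#   chassis number: UUID, 8-4-4-4-12 lowercase hex
#   serial number:  16 uppercase hex digits (the certificate serial)
is_chassis() {
  echo "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}
is_serial() {
  echo "$1" | grep -Eq '^[0-9A-F]{16}$'
}

# Reads show output on stdin. Prints "chassis,serial" for every valid
# "Chassis number: ... serial number: ..." line, reports the others on
# stderr, and returns the number of rejected lines (0 = clean list).
edge_list_from_show() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      "Chassis number: "*" serial number: "*) ;;   # the line we care about
      *) continue ;;                                # prompts, echoed commands
    esac
    chassis=${line#Chassis number: }; chassis=${chassis%% *}
    serial=${line##* serial number: }
    if is_chassis "$chassis" && is_serial "$serial"; then
      echo "$chassis,$serial"
    else
      echo "REJECTED: $line" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Demo: write the CSV and report whether anything was rejected.
if printf '%s\n' "$SAMPLE_SHOW" | edge_list_from_show > "$EDGE_LIST"; then
  echo "edge-list written to $EDGE_LIST, all entries valid"
else
  echo "edge-list written to $EDGE_LIST, but some entries were rejected"
fi
cat "$EDGE_LIST"
```

With real devices, paste the show output from each vEdge into the function's stdin (or pipe a saved capture through it) and upload the resulting file only when the return code is 0; the two good lines in the sample produce exactly the two rows shown above, and the vedge3 line is reported on stderr instead of silently corrupting the list.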
[screenshots: uploading the vEdge list]
When complete
[screenshot]
Then Send to Controllers
[screenshot]
When complete, as shown below:
[screenshot]

Enable the tunnel-interface on vManage, vBond, vSmart and vEdge.

vManage、vSmart:
vpn 0
 interface eth0
  tunnel-interface
  commit and-quit

vBond、vEdge:
vpn 0
 interface ge0/0
  tunnel-interface
   encapsulation ipsec
   commit and-quit

After entering these, go back to the main dashboard.
[screenshot]
You can see that vSmart and vBond are online, but the vEdges are not. No hurry; continue below.

Upgrading vManage, vSmart and vBond

Upload the required files to vManage.

[screenshots: uploading the software images]
Upload complete, as shown below:
[screenshot]

Upgrading vManage

[screenshots]
On success:
[screenshot]
Set the default version
[screenshots]
Activate the new version on vManage
[screenshots]
At this point the vManage upgrade is complete.
After activation the device needs to reboot; wait for the reboot to finish before continuing.

Upgrading vBond and vSmart

[screenshots]
Activate directly and then reboot. This step is a bit slow because the files have to be pushed to vBond and vSmart.
On success, as shown below:
[screenshot]
The dashboard shows the devices online as well, meaning the upgrade succeeded
[screenshots]

Next, adding the vEdges

vEdge certificate authorization
[screenshot]
When done, Send to Controllers
[screenshot]
When complete:
[screenshot]
Now the vEdges show as online on the dashboard
[screenshot]
Commands for checking the related connections:
vManage

vmanage# show control local-properties
personality                  vmanage
sp-organization-name         iteachs.com
organization-name            iteachs.com
certificate-status           Installed
root-ca-chain-status         Installed

certificate-validity         Valid
certificate-not-valid-before Mar 05 08:59:05 2020 GMT
certificate-not-valid-after  Jul 18 08:59:05 2021 GMT

dns-name                     10.1.1.2
site-id                      100
domain-id                    0
protocol                     dtls
tls-port                     23456
system-ip                    100.1.1.1
chassis-num/unique-id        1d83a485-e824-4836-ab82-00db7bea4c1c
serial-num                   F2F9B9947BE82084
retry-interval               0:00:00:19
no-activity-exp-interval     0:00:00:12
dns-cache-ttl                0:00:02:00
port-hopped                  FALSE
time-since-last-port-hop     0:00:00:00
number-vbond-peers           1

INDEX   IP                                      PORT
-----------------------------------------------------
0       10.1.1.2                                12346

number-active-wan-interfaces 2

                    PUBLIC          PUBLIC PRIVATE         PRIVATE                                 PRIVATE                               LAST
INSTANCE INTERFACE  IPv4            PORT   IPv4            IPv6                                    PORT    VS/VM  COLOR            STATE CONNECTION
----------------------------------------------------------------------------------------------------------------------------------------------------
0        eth0       10.1.1.1        12346  10.1.1.1        ::                                      12346     1/0   default          up    0:00:00:18
1        eth0       10.1.1.1        12446  10.1.1.1        ::                                      12446     0/0   default          up    0:00:00:16

vmanage#
vmanage# show control connections
                                   PEER                                                                        PEER                                          PEER
      PEER    PEER PEER            CONFIGURED        SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB
INDEX TYPE    PROT SYSTEM IP       SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  ORGANIZATION            REMOTE COLOR    STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vedge   dtls 101.1.1.1       101.1.1.1       1          1      172.16.1.1                              12366 172.16.1.1                              12366 iteachs.com             default         up    0:00:01:47
0     vsmart  dtls 100.1.1.3       100.1.1.3       100        1      10.1.1.3                                12346 10.1.1.3                                12346 iteachs.com             default         up    0:00:07:24
0     vbond   dtls 100.1.1.2       100.1.1.2       0          0      10.1.1.2                                12346 10.1.1.2                                12346 iteachs.com             default         up    0:00:08:38
1     vedge   dtls 102.1.1.1       102.1.1.1       2          1      172.16.2.1                              12366 172.16.2.1                              12366 iteachs.com             default         up    0:00:01:57
1     vbond   dtls -               -               0          0      10.1.1.2                                12346 10.1.1.2                                12346 iteachs.com             default         up    0:00:08:39

vmanage#

Related checks on vBond, vSmart and vEdge

vsmart# show control connections
                                                                                             PEER                                          PEER                 
      PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                  
INDEX TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  REMOTE COLOR    STATE UPTIME
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vedge   dtls 101.1.1.1       1          1      172.16.1.1                              12366 172.16.1.1                              12366 default         up    0:00:03:31
0     vbond   dtls -               0          0      10.1.1.2                                12346 10.1.1.2                                12346 default         up    0:00:09:13
0     vmanage dtls 100.1.1.1       100        0      10.1.1.1                                12346 10.1.1.1                                12346 default         up    0:00:09:08
1     vedge   dtls 102.1.1.1       2          1      172.16.2.1                              12366 172.16.2.1                              12366 default         up    0:00:03:41
1     vbond   dtls -               0          0      10.1.1.2                                12346 10.1.1.2                                12346 default         up    0:00:09:13

vsmart#

vedge1# show control connections
                                                                                       PEER                                          PEER                                    CONTROLLER
PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                     GROUP
TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  LOCAL COLOR     STATE UPTIME      ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 100.1.1.3       100        1      10.1.1.3                                12346 10.1.1.3                                12346 default         up    0:00:04:05  0
vbond   dtls -               0          0      10.1.1.2                                12346 10.1.1.2                                12346 default         up    0:00:04:05  0
vmanage dtls 100.1.1.1       100        0      10.1.1.1                                12346 10.1.1.1                                12346 default         up    0:00:04:05  0

vedge1#

It took ages just to get the devices online, and Site1 and Site2 still cannot reach each other... In fact 2/3 is already done; no hurry, continue below!

Getting routing working between the two sites

This step could be done by creating feature templates in vManage, attaching them to a device template and pushing that to the devices; I found screenshots tedious, so I typed the commands directly on the devices. Honestly, this way you don't get to experience the fun SD-WAN is supposed to bring.
The commands are below

vEdge1:

vpn 0
 interface ge0/0
  nat
!## NAT on the public-facing interface
vpn 10
 router
  ospf
   router-id 101.1.1.1
   default-information originate
   timers spf 200 1000 10000
   redistribute omp  ## redistribute OMP-learned routes into OSPF
   area 0
    interface ge0/1
     network point-to-point
    exit
   exit
  !
 !
 interface ge0/1
  ip address 192.168.1.254/24
  no shutdown
 !
 ip route 0.0.0.0/0 vpn 0
 omp
  advertise ospf external  ## advertise OSPF external routes into OMP
 !
!

vEdge2:

vpn 0
 interface ge0/0
  nat
!## NAT on the public-facing interface
vpn 10
 router
  ospf
   router-id 102.1.1.1
   default-information originate
   timers spf 200 1000 10000
   redistribute omp  ## redistribute OMP-learned routes into OSPF
   area 0
    interface ge0/1
     network point-to-point
    exit
   exit
  !
 !
 interface ge0/1
  ip address 192.168.2.254/24
  no shutdown
 !
 ip route 0.0.0.0/0 vpn 0
 omp
  advertise ospf external  ## advertise OSPF external routes into OMP
 !
!

After configuration, check the neighbors and routes

vedge1# show ospf neighbor
DBsmL -> Database Summary List
RqstL -> Link State Request List
RXmtl -> Link State Retransmission List
       SOURCE                                                              DEAD 
VPN    IP ADDRESS       INTERFACE  ROUTER ID        STATE        PRIORITY  TIMER  DBsmL  RqstL  RXmtL
-------------------------------------------------------------------------------------------------------
10     192.168.1.1      ge0/1      1.1.1.1          full         1         33     0      0      0

vedge1# show ip routes vpn 10
Codes Proto-sub-type:
  IA -> ospf-intra-area, IE -> ospf-inter-area,
  E1 -> ospf-external1, E2 -> ospf-external2,
  N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
  e -> bgp-external, i -> bgp-internal
Codes Status flags:
  F -> fib, S -> selected, I -> inactive,
  B -> blackhole, R -> recursive

                                            PROTOCOL  NEXTHOP     NEXTHOP          NEXTHOP
VPN    PREFIX              PROTOCOL         SUB TYPE  IF NAME     ADDR             VPN      TLOC IP          COLOR            ENCAP  STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
10     0.0.0.0/0           nat              -         ge0/0       -                0        -                -                -      F,S
10     1.1.1.1/32          ospf             IA        ge0/1       192.168.1.1      -        -                -                -      F,S
10     2.2.2.2/32          omp              -         -           -                -        102.1.1.1        default          ipsec  F,S
10     192.168.1.0/24      ospf             IA        ge0/1       -                -        -                -                -      -
10     192.168.1.0/24      connected        -         ge0/1       -                -        -                -                -      F,S
10     192.168.2.0/24      omp              -         -           -                -        102.1.1.1        default          ipsec  F,S

vedge1#

vedge2# show ospf neighbor
DBsmL -> Database Summary List
RqstL -> Link State Request List
RXmtl -> Link State Retransmission List
       SOURCE                                                              DEAD 
VPN    IP ADDRESS       INTERFACE  ROUTER ID        STATE        PRIORITY  TIMER  DBsmL  RqstL  RXmtL
-------------------------------------------------------------------------------------------------------
10     192.168.2.1      ge0/1      2.2.2.2          full         1         36     0      0      0

vedge2# show ip routes vpn 10
Codes Proto-sub-type:
  IA -> ospf-intra-area, IE -> ospf-inter-area,
  E1 -> ospf-external1, E2 -> ospf-external2,
  N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
  e -> bgp-external, i -> bgp-internal
Codes Status flags:
  F -> fib, S -> selected, I -> inactive,
  B -> blackhole, R -> recursive

                                            PROTOCOL  NEXTHOP     NEXTHOP          NEXTHOP
VPN    PREFIX              PROTOCOL         SUB TYPE  IF NAME     ADDR             VPN      TLOC IP          COLOR            ENCAP  STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
10     0.0.0.0/0           nat              -         ge0/0       -                0        -                -                -      F,S
10     1.1.1.1/32          omp              -         -           -                -        101.1.1.1        default          ipsec  F,S
10     2.2.2.2/32          ospf             IA        ge0/1       192.168.2.1      -        -                -                -      F,S
10     192.168.1.0/24      omp              -         -           -                -        101.1.1.1        default          ipsec  F,S
10     192.168.2.0/24      ospf             IA        ge0/1       -                -        -                -                -      -
10     192.168.2.0/24      connected        -         ge0/1       -                -        -                -                -      F,S

vedge2#
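To check the route table automatically rather than by eye, here is an added Python example (not from the original post) that parses the column layout of the `show ip routes vpn 10` output shown above and verifies that the remote site's prefixes are installed via OMP with the expected TLOC (the remote vEdge's system-ip) and IPsec encapsulation. The sample table is a constructed copy of the vedge1 output.

```python
# Constructed sample: the vedge1 "show ip routes vpn 10" table from the lab
# (header, separator and data rows in the same whitespace-separated layout).
SAMPLE_ROUTES = """\
VPN    PREFIX              PROTOCOL         SUB TYPE  IF NAME     ADDR             VPN      TLOC IP          COLOR            ENCAP  STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
10     0.0.0.0/0           nat              -         ge0/0       -                0        -                -                -      F,S
10     1.1.1.1/32          ospf             IA        ge0/1       192.168.1.1      -        -                -                -      F,S
10     2.2.2.2/32          omp              -         -           -                -        102.1.1.1        default          ipsec  F,S
10     192.168.1.0/24      ospf             IA        ge0/1       -                -        -                -                -      -
10     192.168.1.0/24      connected        -         ge0/1       -                -        -                -                -      F,S
10     192.168.2.0/24      omp              -         -           -                -        102.1.1.1        default          ipsec  F,S
"""

# Column names in the order the vEdge prints them (11 columns per data row).
FIELDS = ("vpn", "prefix", "protocol", "sub_type", "if_name", "nexthop",
          "nexthop_vpn", "tloc_ip", "color", "encap", "status")


def parse_routes(text):
    """Turn each data row into a dict; header, separator and blank lines
    (anything not starting with a numeric VPN id) are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != len(FIELDS) or not cols[0].isdigit():
            continue
        row = dict(zip(FIELDS, cols))
        # STATUS is "F,S" for installed+selected routes and "-" for none.
        row["flags"] = set(row["status"].split(",")) if row["status"] != "-" else set()
        routes.append(row)
    return routes


def check_remote_site(routes, remote_prefixes, remote_system_ip):
    """Return a list of problems for prefixes that should be learned from the
    remote vEdge over OMP: present, in FIB and selected (F,S), TLOC equal to
    the remote system-ip, and carried over the IPsec data plane."""
    problems = []
    for prefix in remote_prefixes:
        omp = [r for r in routes if r["prefix"] == prefix and r["protocol"] == "omp"]
        if not omp:
            problems.append(f"{prefix}: no OMP route (check 'advertise ospf external' on the remote vEdge)")
            continue
        r = omp[0]
        if not {"F", "S"} <= r["flags"]:
            problems.append(f"{prefix}: OMP route not installed/selected ({r['status']})")
        if r["tloc_ip"] != remote_system_ip:
            problems.append(f"{prefix}: unexpected TLOC {r['tloc_ip']}")
        if r["encap"] != "ipsec":
            problems.append(f"{prefix}: encap is {r['encap']}, not ipsec")
    return problems
```

On vedge1 the expected call is `check_remote_site(parse_routes(output), ["2.2.2.2/32", "192.168.2.0/24"], "102.1.1.1")`, which returns an empty list when the Site2 routes are correctly learned through the tunnel.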

Test connectivity between Site1 and Site2

Site1#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.254 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/10] via 192.168.1.254, 00:08:47, Ethernet0/0
      2.0.0.0/32 is subnetted, 1 subnets
O E2     2.2.2.2 [110/16777214] via 192.168.1.254, 00:03:50, Ethernet0/0
O E2  192.168.2.0/24 [110/16777214] via 192.168.1.254, 00:08:47, Ethernet0/0
Site1#
Site1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Site1#
Site1#tra
Site1#traceroute 2.2.2.2 so
Site1#traceroute 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.254 0 msec 1 msec 0 msec
  2 192.168.2.254 1 msec 0 msec 1 msec
  3 192.168.2.1 1 msec *  1 msec
Site1#
Site1#
Site1#ping 100.100.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Site1#

At this point the lab is complete. I will not add too many screenshots of the corresponding vManage views; follow the lab yourself and have a look.

Summary

I feel this Viptela SD-WAN is still quite complex; the most critical part is the device onboarding process, especially the certificate and vEdge license handling.
The network connectivity part is actually quite simple; entering commands by hand or building templates both work, I just like the blunt simplicity of the command line.
And so far I still have not felt what fun or excitement SDN and SD-WAN have brought me...

6 comments on "Cisco Viptela SD-WAN Lab"

  1. Impressive, you actually built SD-WAN in EVE. I guess it needs a high-spec server.

  2. vedge-02# request root-cert-chain install scp://admin@x.x.x.x/home/admin/ROOTCA.pem vpn 0
    Uploading root-ca-cert-chain via VPN 0
    Copying … admin@x.x.x.x:/home/admin/ROOTCA.pem via VPN 0
    Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
    viptela 16.2.11

    admin@x.x.x.x1's password:
    Permission denied, please try again.
    admin@x.x.x.x's password:
    ROOTCA.pem 100% 1277 1.3KB/s 00:00
    Error: Cannot upload root certificate file on a software vedge. Please use Viptela approved symantec signed certificates.
    Failed to install the root certificate chain !!

    How can I resolve it?

    1. The vEdge version must be higher than 17.2.0 to add a custom root certificate; otherwise only Symantec-signed certificates can be used.
